Ce mail provient de l'extérieur, restons vigilants ===================================================================== CERT-Renater Note d'Information No. 2025/VULN265 _____________________________________________________________________ DATE : 29/04/2025 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Apache Tomcat versions prior to 11.0.6, 10.1.40, 9.0.104. ===================================================================== https://lists.apache.org/thread/q4ld9xtv3zrvvs3ykp4b2f9j2tvhq6bl https://lists.apache.org/thread/x7l5ldwkson33bf4b3s3738lwjql618z _____________________________________________________________________ CVE-2025-31650 Apache Tomcat - DoS via invalid HTTP prioritization header Severity: High Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M2 to 11.0.5 Apache Tomcat 10.1.10 to 10.1.39 Apache Tomcat 9.0.76 to 9.0.102 Description: Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. Mitigation: Users of the affected versions should apply one of the following mitigations: - Upgrade to Apache Tomcat 11.0.6 or later - Upgrade to Apache Tomcat 10.1.40 or later - Upgrade to Apache Tomcat 9.0.104 or later Note: This issue was fixed in Apache Tomcat 9.0.103 but the release vote for the 9.0.103 release candidate did not pass. Therefore, although users must download 9.0.104 to obtain a version that includes a fix for this issue, version 9.0.103 is not included in the list of affected versions. Credit: The vulnerability was identified by the Tomcat security team. History: 2025-04-28 Original advisory References: [1] https://tomcat.apache.org/security-11.html [2] https://tomcat.apache.org/security-10.html [3] https://tomcat.apache.org/security-9.html _____________________________________________________________________ [SECURITY] CVE-2025-31651 Apache Tomcat - Rewrite rule bypass CVE-2025-31651 Apache Tomcat - Rewrite rule bypass Severity: Low Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.5 Apache Tomcat 10.1.0-M1 to 10.1.39 Apache Tomcat 9.0.0.M1 to 9.0.102 Description: For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. Mitigation: Users of the affected versions should apply one of the following mitigations: - Upgrade to Apache Tomcat 11.0.6 or later - Upgrade to Apache Tomcat 10.1.40 or later - Upgrade to Apache Tomcat 9.0.104 or later Note: This issue was fixed in Apache Tomcat 9.0.103 but the release vote for the 9.0.103 release candidate did not pass. Therefore, although users must download 9.0.104 to obtain a version that includes a fix for this issue, version 9.0.103 is not included in the list of affected versions. Credit: The vulnerability was identified by COSCO Shipping Lines DIC. History: 2025-04-28 Original advisory References: [1] https://tomcat.apache.org/security-11.html [2] https://tomcat.apache.org/security-10.html [3] https://tomcat.apache.org/security-9.html ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================